Hi,

so there are at least 2 issues to fix:
- kinit admin fails
- pki-tomcatd service and ipa-otpd service are stopped.

For the first issue, can you run:
    # KRB5_TRACE=/dev/stderr kinit admin
This will print more details (if DNS resolution is used etc...)

For the 2nd issue, you need to have a look at the logs in /var/log/pki/pki-tomcat/, and check for errors with
    # systemctl status pki-tomcatd@pki-tomcat
and in the journal:
    # journalctl -u pki-tomcatd@pki-tomcat

flo

On Wed, Feb 23, 2022 at 10:35 AM Alessandro Minonzio <[email protected]> wrote:

> Hi Florence,
>
> thanks for the support report the status of FreeIPA:
>
> [root@adv ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: STOPPED
> ipa-otpd Service: STOPPED
> ipa: INFO: The ipactl command was successful
>
> pki-tomcatd and ipa otpd seem to be stopped.
>
> On Wed, 23 Feb 2022 at 10:00, Florence Blanc-Renaud <[email protected]>
> wrote:
>
>> Hi,
>> are all the IPA services up and running on the replica (the kinit error
>> suggests that either krb5.conf is badly configured or the kerberos server
>> isn't running on the replica)?
>> Please report the output of "ipactl status".
>>
>> flo
>>
>> On Wed, Feb 23, 2022 at 9:05 AM Alessandro Minonzio via FreeIPA-users <
>> [email protected]> wrote:
>>
>>> Hi,
>>>
>>> I report this issue about FreeIPA server:
>>>
>>> ------------------------------------------------------------------------------------------------------------------
>>>
>>> Request for enhancement
>>>
>>> A strange error is occurring when I try to access my FreeIPA.
>>> Issue
>>>
>>> The problem occurs when I try to access the FreeIPA portal.
>>>
>>> "The message occurs saying IPA Error 4301: CertificateOperationError"
>>> "Certificate operation cannot be completed: Unable to communicate with
>>> CMS (500)"
>>>
>>> in Certificate Authority appear:
>>>
>>> "cannot connect to 'https://xyz.xxxxxhq.it:443/ca/rest/account/login':
>>> <https://xyz.xxxxxhq.it/ca/rest/account/login':> [SSL:
>>> SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1826)"
>>>
>>> and if I try to connect with KINIT ADMIN command on the console appear
>>> this error:
>>>
>>> "kinit: Cannot contact any KDC for realm 'SUBITOHQ.IT' while getting
>>> initial credentials"
>>> Actual behavior
>>>
>>> Serverweb and console with kinit admin doesn't work. LDAPADMIN tool too.
>>> Version/Release/Distribution
>>>
>>> package freeipa-server is not installed
>>> package freeipa-client is not installed
>>> ipa-server-4.6.5-11.el7.centos.3.x86_64
>>> ipa-client-4.6.5-11.el7.centos.3.x86_64
>>> 389-ds-base-1.3.9.1-12.el7_7.x86_64
>>> pki-ca-10.5.16-5.el7_7.noarch
>>> krb5-server-1.15.1-37.el7_7.2.x86_64
>>> Additional info:
>>>
>>> maybe it's a problem with CA but how is the process to solve that issue?
>>> The fact is that this behavior it's on a replica FreeIPA server with CA and
>>> DOMAIN. There is a resolution or a command to solve that?
>>>
>>> ------------------------------------------------------------------------------------------------------------------
>>>
>>> could you help me please?
>>>
>>> Best regards,
>>>
>>> AM
>>> _______________________________________________
>>> FreeIPA-users mailing list -- [email protected]
>>> To unsubscribe send an email to
>>> [email protected]
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedorahosted.org/archives/list/[email protected]
>>> Do not reply to spam on the list, report it:
>>> https://pagure.io/fedora-infrastructure
>>>
>>
